How to find hacked WordPress files

Most WordPress hacks contain certain php code. It’s always better to catch the hack as soon as you can. Before customers start to ring, before the hack spreads and causes worse problems.

Following is a bash script that you can use to find potential hacked WordPress accounts.

 

if find /home/ -mtime -1 -type f -name '*.php*' | xargs grep -P -l '^(?=[\s]*+[^#])[^#|^\*]*(eval *\()' | xargs grep -l -E "str_replace *\(|gzinflate *\(|base64_decode *\("|grep -v -f /etc/scripts/findPhpHackedFiles.exclude; then
     echo found hacked files;
	#send an email alert or similar
fi

The -1 above is the number of days to check, if you run the scripts from /etc/cron.daily/ then -1 is appropriate.

You need an exclude file, as some common plugins behave like hacked code, here are some of the entries you’ll need

 

virtfs
quarantine
plugins/worker/functions.php
beaver
thrive

 

By Scott Farrell on January 13th, 2018 , Follow @scott_WordPress Tweet to @scott_WordPress